Measures for the Security Assessment of Data Exports
The "Measures for the Security Assessment of Data Exports", which were deliberated and adopted on May 19, 2022, at the 10th office meeting of the Cyberspace Administration of China for 2022, are hereby promulgated and are to take force on September 1, 2022.
Zhuang Rongwen, Director of the Cyberspace Administration of China
July 7, 2022
Measures for the Security Assessment of Data Exports
Article 1: These Measures are drafted on the basis of the Cybersecurity Law of the PRC, the PRC Data Security Law, the Personal Information Protection Law of the PRC, and other laws and regulations, so as to regulate data export activities, protect rights and interests in personal information, preserve national security and the societal public interest, and to promote the secure and free flow of data across borders.
Article 2: These Measures apply to security assessments for data handlers' provision overseas of important data and personal information that was collected or produced during operations inside the territory of the People's Republic of China. Where laws or administrative regulations otherwise provide, follow those provisions.
Article 3: Data export security assessments are to persist in combining ex-ante assessments and sustained oversight, and combining risk self assessment and security assessments, to prevent security risks in data exports and to ensure the orderly and free flow of data in accordance with law.
Article 4: In any of the following circumstances, data handlers providing data abroad shall report on the data export security assessments through the provincial-level internet information department for their area up to the state internet information department:
(1) Where data handlers provide important data abroad;
(2) Where critical information infrastructure operators or data handlers handling the personal information of 1,000,000 or more persons provide personal information overseas;
(3) Where data handlers providing personal information abroad have cumulatively provided 100,000 persons' personal information or 10,000 persons' sensitive personal information abroad since January 1st of the last year;
(4) Other situations that the state internet information department requires reporting on data export security assessments.
Article 5: Before data handlers make data export security assessment declarations, they should first carry out self-assessments on data export risk, focusing on assessment of the following matters:
(1) The legality, propriety, and necessity of the purpose, scope, and methods, etc. of exporting the data and of the overseas recipients' handling of the data;
(2) The scale, scope, types, and sensitivity of exported data, and potential risks to national security, public interests, or the lawful rights and interests of individuals and organizations, that might be brought on by the export of data;
(3) The responsibilities and obligations that the overseas recipient has pledged to undertake, as well as the management and technical measures and capacity for performing the responsibilities and obligations, and whether they can ensure the security of exported data;
(4) Risks such as of data being altered, destroyed, leaked, lost, or transferred after being exported, or of it being illegally obtained or used; and whether the channels for preserving rights and interests in personal information are clear, etc.;
(5) Whether contracts or other legally effective documents concluded with the foreign recipient related to data exports (collectively "legal documents") fully provide for data security protection responsibilities and obligations;
(6) Other matters that might impact data export security.
Article 6: The following materials shall be submitted in making data export security assessment declarations:
(1) a written declaration;
(2) The data export risk self assessment report;
(3) The legal documents concluded between the data handlers and the overseas recipients;
(4) Other materials required for security assessment work.
Article 7: Provincial-level departments for internet information shall complete inspections on the completeness of materials within 5 working days of receiving a declaration. Where the declaration materials are complete, they are to be sent to the national internet information department; where the materials are not complete, they shall be returned to the data handlers with a one-time notice that the materials need to be supplemented.
The national Internet information department shall make a determination on acceptance within 7 working days of receiving the declaration materials and give written notice to the data handlers.
Article 8: Data export security assessments are to focus on assessing the potential risks to national security, public interests, and the lawful rights and interests of individuals and organizations that might be brought on by the export of data, primarily including the following matters:
(1) The legality, propriety, and necessity of the purpose, scope, and methods, etc. of exporting the data;
(2) The impact on the security of exported data of the data security policies and regulations of the country or region where the overseas recipient is located and its cybersecurity environment; whether the overseas data recipients' level of data protections meets the requirements of the PRC's laws, administrative regulations, and compulsory national standards;
(3) The scale, scope, types, and sensitivity of the exported data, and risks during and after export such as of the data being altered, destroyed, leaked, lost, or transferred, or being illegally obtained or used;
(4) Whether data security and rights and interests in personal information can be fully and effectively safeguarded;
(5) Whether the legal documents that data handlers will conclude with the overseas recipients fully provide for the responsibilities and obligations in protecting data security;
(6) Compliance with Chinese law, administrative regulations, and departmental rules;
(7) Other matters that the state internet information department finds need to be assessed.
Article 9: Data handlers shall make clear agreements on data security responsibilities and obligations in the legal documents concluded with the foreign recipient, including the following content at a minimum:
(1) The purpose and methods of exporting data and the scope of data, the overseas recipients' usages and methods in handling data, and so forth;
(2) The overseas location and duration for data storage, as well as the measures for dealing with the exported data at the end of the storage period, when the agreed on purposes are completed, or after the legal documents have been ended;
(3) Requirements restricting the overseas recipients from further transferring the exported data to other organizations and individuals;
(4) The security measures that shall be employed when there are changes in terms of overseas recipients' authority for actual control or the scope of their operations; when there are changes to the data security policies, regulations, or cybersecurity environment of the country or territory in which they are located; or when other force majeure situations occur that make it difficult to ensure data security;
(5) Remedies, liability for breach of contract, and dispute resolution methods for violations of data security obligations provided for in the legal documents;
(6) The requirements for appropriate emergency response and the channels and methods for individuals to protect their personal information when exported data faces risks such as of being altered, destroyed, leaked, lost, or transferred after being exported, or of it being illegally obtained or used.
Article 10: After the state internet information department accepts declarations and based on the circumstances of the declaration, it is to organize the relevant departments of the State Council, provincial-level internet information departments, specialized bodies, and so forth, to conduct a security assessment.
Article 11: Where it is discovered during the security assessment process that the declaration materials provided by data handlers do not meet the requirements, the state internet information department may require them to supplement or correct the materials. Where the data handlers do not supplement or correct the materials without legitimate reason, the state internet information department may terminate the security assessment.
Data handlers are responsible for the veracity of all materials they provide, and where they provide false materials they are not to pass the assessment and corresponding legal responsibility is to be pursued in accordance with law.
Article 12: The State internet information department shall complete data export security assessments within 45 working days from the date of its issuing the written notification of acceptance; this may be extended where the circumstances are complex or materials need to be supplemented, and the data handlers are to be informed of the estimated time of the extension.
The data handlers are to be informed in writing of the assessment outcome.
Article 13: Where data handlers have objections to the assessment outcome, they may apply to the state internet information department for a reassessment within 15 working days of receiving the outcome, and the outcome of the reassessment is to be the final conclusion.
Article 14: The validity period for successful data export security assessment outcomes is 2 years calculated from the date on which the outcome is issued. Where any of the following circumstances occurs during the period of validity, the data handlers shall make a new assessment declaration:
(1) Where there are changes to the purpose, methods, scope, and types of data provided abroad, or to the foreign recipients' usage and methods impacting the security of exported data, or where the period for storing personal information or important data is extended;
(2) Where there is a change in the data security policies and regulations or cybersecurity environment of the nation or territory where the foreign recipient is located, there are other situations of force majeure, there is a change in either the data handler's or the foreign recipients' authority for actual control, there is a change in the legal documents between the data handlers and the foreign recipients, or other such matters impact data export security;
(3) Other situations arise that might impact the security of data exports.
Where it will be necessary to continue carrying out data export activities at the completion of the validity period, the data handlers shall make a new assessment declaration 60 working days before the completion of the validity period.
Article 15: The relevant bodies and personnel that participate in security assessment work shall, in accordance with law, preserve the confidentiality of state secrets, personal privacy, personal information, commercial secrets, confidential commercial information, and so forth that they learn of during the performance of their duties, and must not disclose or illegally provide it to others or illegally use it.
Article 16: Where any organization or individual discovers that data handlers have provided data abroad in violation of these Measures, they may make a report to an internet information department at the provincial level or above.
Article 17: Where data handlers need to continue carrying out data export activities, they shall make corrections as required and make a new assessment declaration after the corrections are completed.
Article 18: Where the provisions of these Measures are violated, it is to be addressed on the basis of the PRC Cybersecurity Law, the PRC Data Security Law, the PRC Law on the Protection of Personal Information, and other such laws and regulations; and where a crime is constituted, criminal responsibility is pursued in accordance with law.
Article 19: "Important data" as used in these Measures refers to data that once altered, destroyed, leaked, or illegally obtained or utilized, might endanger national security, economic operations, social stability, or public health and safety.
Article 20: These Measures take effect on September 1, 2022. Where data export activities carried out before these Measures take effect do not comply with the provisions of these Measures, corrections shall be completed within 6 months from the date on which these Measures take effect.